• 0 Posts
  • 5 Comments
Joined 2 years ago
Cake day: July 5th, 2023

  • I’d recommend using unifi/ubiquiti switches. They’re a bit pricey but they’re incredibly solid and you can manage them with a self hosted container of unifi controller software.

    A good place to start is one of their 8port POE switches. I have a couple and they’re L3 switches (so you can do VLAN stuff like you want), and I’ve never ever had a problem with any of them. Even with the inexpensive ones their POE budget is pretty good, and great to power other switches or APs. They don’t power some cameras so you might need injectors for some thirsty gear.

    The controller software is pretty good, and will let you manage the switches without getting into command line config at first (which can be a crutch so be cautious of that, especially if you want to branch out into other cheaper switches or take advantage of good 2nd hand gear deals you find).

    But for your network I think an 8 port and a WAP are a good place to start. Get away from using your combo router as your wireless AP (or use both) and get some VLANs set up, and work on inter-VLAN routing and firewall rules.

    How do you want to segment your network?

    I recommend you have the following to start:

    - management VLAN
    - trusted devices
    - guest/IoT devices

    Just getting those three set up correctly will teach you a lot and let you environment. Firewall/routing rules to allow connections through in certain directions and not others is… fun to get the hang of if you’re new.

    What are you planning on using as your router? Your combo router might tie your hands if that’s what you plan to use for everything. Combo routers generally suck at everything. You can get a cheap router also, edgerouter er-x is a fine choice but it’s not the best, but it’ll still outdo whatever you currently have, I’m sure. Put it behind your modem at your network edge and you can manage your vlan routing and your firewall on one device.

    Additionally you can set up a VPN server on one of your PCs and set up static routes to allow you to tunnel in and access your network when you’re out (wireguard for the win).

    Good luck on your journey! There’s a lot to learn so don’t get frustrated when your stuff doesn’t work. Back up your configs so you can revert back and be REALLY careful because it’s easy enough to make your stuff insecure by trying to make stuff work. Yeah it’ll function but next thing you know you’ve got a ransomware virus on your entire network… Not fun, I hear.

    As you set up your VLANs look into VLAN traversal, it’s a means of network attack that allows attackers to cross over from one VLAN to another when you set up trunk/switch ports and VLAN tagging incorrectly. Again, your stuff will work but it’ll be vulnerable (not really a problem at home as long as your firewall works fine but still).

    Edit: you can go with a router with several ports but I’d recommend you shy away from that if you have the money for dedicated devices. Routers are better at routing (L3) and switches are better at switching (L2). Their guts are built for different things and your network will be much faster if you use them for their intended purpose.
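    The three-zone layout and the "allow in certain directions and not others" rule set above, as an added example (mine, not the commenter's). The interface names, VLAN IDs, subnets and the initiation matrix are assumptions; the script evaluates whether a new connection between two addresses would be forwarded and renders the same policy as an nftables forward chain with a default drop, which is the shape such a rule set takes on a Linux-based router.

```python
"""Inter-VLAN policy for a management / trusted / guest-IoT split.

Added example, not from the original comment. Interface names, VLAN IDs,
subnets and the policy matrix below are assumptions for illustration.
"""
import ipaddress

# Assumed VLAN interfaces on the router (placeholder names and subnets).
ZONES = {
    "management": {"iface": "vlan10", "net": ipaddress.ip_network("10.0.10.0/24")},
    "trusted":    {"iface": "vlan20", "net": ipaddress.ip_network("10.0.20.0/24")},
    "iot":        {"iface": "vlan30", "net": ipaddress.ip_network("10.0.30.0/24")},
}

# Which zone may *initiate* connections into which. Replies come back via
# connection tracking (established/related), so only the initiating
# direction is listed: trusted can reach management and IoT, nothing
# reaches trusted or management from the IoT side.
MAY_INITIATE = {
    ("trusted", "management"),
    ("trusted", "iot"),
}


def zone_of(ip):
    """Map an address to its zone, or None if it is in no VLAN subnet."""
    addr = ipaddress.ip_address(ip)
    for name, zone in ZONES.items():
        if addr in zone["net"]:
            return name
    return None


def allowed(src_ip, dst_ip):
    """Would a NEW connection from src_ip to dst_ip be forwarded?"""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        # Same VLAN: switched at L2, the router's forward chain never sees it.
        return True
    return (src, dst) in MAY_INITIATE


def render_nft():
    """Render the same policy as an nftables forward chain (default drop)."""
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for src, dst in sorted(MAY_INITIATE):
        lines.append(
            f'    iifname "{ZONES[src]["iface"]}" '
            f'oifname "{ZONES[dst]["iface"]}" ct state new accept'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    checks = [
        ("10.0.20.5", "10.0.30.7"),   # trusted -> IoT: allowed
        ("10.0.30.7", "10.0.20.5"),   # IoT -> trusted: dropped
        ("10.0.30.7", "10.0.10.1"),   # IoT -> management: dropped
    ]
    for s, d in checks:
        print(f"{s} -> {d}: {'allow' if allowed(s, d) else 'drop'}")
    print(render_nft())
```

The point to notice is that the policy is written once, as an initiation matrix, and the default is drop: an IoT device can answer a connection a trusted host opened to it, but cannot open one of its own toward the trusted or management VLANs.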


  • pishadoot@sh.itjust.works to Selfhosted@lemmy.world · DNS server · 25 days ago

    Not trying to go down a rabbit hole, nor invade your teen’s privacy, but have you done any kind of packet inspection on what’s going out/in? Teens can surprise you with the kind of stuff they’re up to sometimes.

    I’m not sure why your resolver started acting up but what you’re describing doesn’t sound like normal cause/effect. Four people on a residential connection, even if you throw in a ton of electronic devices and iot/crap that calls home constantly shouldn’t cause any kind of ISP engagement.

    Not like it really matters, for 99.9% of people having a forwarder is easy and just fine and there isn’t good reason to troubleshoot it if there’s a working solution. I’m pretty privacy conscious and I don’t even think having my own forwarder is worth the hassle, I am just choosy about my upstream.


  • pishadoot@sh.itjust.works to Selfhosted@lemmy.world · DNS server · 26 days ago

    If pi hole is configured to use another DNS it will still forward your request, just not to your ISP DNS server. Essentially you’re providing your DNS requests to a 3rd party, for a slight boost to performance (because they’ll have tons of stuff cached and can do recursive queries faster if you’re requesting a site not in their cache.) Your web pages will load faster because you don’t have an SBC trying to manually figure out what’s the IP for bigfuckdaddyhairbrushemporium.net

    The downside is you’re exposing your DNS queries to a 3rd party and it’s a bit of a privacy hit, as the upstream DNS server you select has your public IP correlated with your DNS requests. Doesn’t really matter to most, but it does for some.

  • You haven’t really given enough information about your config to diagnose.

    If you’re able to access it from your local network but not your outside network it’s a port forwarding/firewall or routing issue. My guess is it’s a firewall issue either on your network edge (likely integrated into your router) or on your server that’s hosting immich.

    Unless you do one of the following you won’t be able to access it from outside your network:

    - set up a VPN and tunnel into your network. Wireguard or tailscale/zerotier will be easiest.

    - set up port forwarding correctly. Not my first choice, best to VPN in rather than poke holes in your firewall, especially if you’re a noob.

    - set up a reverse proxy. This is a bit more complicated than a VPN or overlay VPN (Tailscale etc), but it works fine and will be secure as well.

    If you haven’t done one of those three things then you won’t be able to access anything from outside your network, for good reason - your firewall is by default set up to deny connections that are initiated from outside your network, so when you’re trying to connect from the outside it looks at your traffic trying to start a connection to your server and naw dawg’s it.

    Edit: just saw from another comment you’re not able to connect from your home Wi-Fi. If that’s the case, are you running a VPN on your phone? That can cause problems. Have you tried using the server’s local IP instead of your external IP? 192.168.x.x most likely. You can try to disable the server’s firewall and see if that lets you connect as well. Is your server on the same subnet as your phone? 192.168.1.x and 192.168.2.x won’t talk unless you set your router up correctly.

    Just shooting in the dark here without more info

    Edit 2: if you’re running immich in a container or VM your configs on that might not be set up correctly to allow you to reach it as well. It can be a lot of things but my money is on firewall/routing somewhere. Start by making sure you’re trying to connect to the local IP of the server, then try to disable server firewall (don’t forget to enable it again whether that solves it or not), and see if that works.